-F: scan 100 most popular ports
-p<port1>-<port2>: port range
-p<port1>,<port2>,...: port list
-pU:53,U:110,T20-445: mix TCP and UDP
-r: scan ports consecutively - don't randomize
--top-ports <n>: scan n most popular ports
-p-65535: leaving off initial ports make nmap scan start at port 1
-p0-: leaving off end port makes nmap scan up to port 65535
-p: leaving off start and end port makes nmap scan ports 1-65535
-Pn: treat all hosts as online -- skip host discovery
-PB: default probe (TCP 80, 445 & ICMP)
-PS<port list>: check wheter targets are up by probing TCP ports
-PE: use ICMP echo request.
-PP: use ICMP timestamp request.
-PM: use ICMP netmask request.
-sn: probe only (host discovery, not port scan)
-sT: TCP connect scan
-sU: UDP scan
-sV: version scan
-O: OS detection
--scanflags: set custom list of TCP using URGACKPSHRSTSYNFIN in asy order.
-T0: paranoid scan, a very slow scan (used for IDS evasion)
-T1: sneaky scan, excellent for avoiding firewalls (used for IDS evasion)
-T2: polite scan, unlikely to interfere with the target system (-10 times slower than default)
-T3: normal scan, the default NMAP timing template (based on target responsiveness)
-T4: aggressive scan, provides faster results on LANs (may overwhelm targets)
-T5: insane scan, a fast aggressive scan (will likely overwhelm targets or miss open ports)
-oN: standard nmap output
-oG: greppable format
-oX: XML format
-oA <basename>: generate nmap, greppable, and XML output files using basename for files
--script: specify a script to run on the target
-sC: equivalent to --script=default
-n/-R: never do DNS resolution/Always resolve [default: sometimes]
-6: use IPv6 only
-A: use several features, includinig OS detection, version detection, script scanning (default), and traceroute.
--reason: display reason nmap thinks port is open, closed, or filtered.
--open: only show open (or possibly open) ports
-v: increase verbosity level (use -vv or more for greater effect)